
Apple's secret "Back to My Mac" push behind IPv6

post #1 of 83
Thread Starter 
The Internet is running out of addresses. To get around this problem and a host of others not addressed in the existing Internet Protocol (IPv4), a new revision has been in development for years, called IPv6. Uptake has been slow; it requires upgrading all the routers and devices that make up the Internet. Apple has a few tricks up its sleeve for pushing IPv6 adoption, and many Mac users are already chin deep in the technology without even knowing it. Here's why, and what it means for users on every platform.

Not Enough Numbers

The primary problem with today's IPv4 is that its 32-bit addressing scheme (those IP numbers that look like 192.168.0.1) can only accommodate four billion (4,294,967,296) uniquely addressed devices, minus all the specially reserved numbers. IP addresses aren't handed out per device as needed; they're allocated in sequential blocks to companies.

For example, Apple owns the entire 17.x.x.x "Class A" subnet, which gives the company 16 million addresses to use. HP owns two: 15.x.x.x and 16.x.x.x, while Xerox owns 13.x.x.x; AT&T 12.x.x.x; and IBM 9.x.x.x. Many blocks are reserved for special purposes, including 10.x.x.x. By the time Microsoft got in line for IP addresses, it only got a class B subnet of 65,536 addresses from 207.46.0.0 - 207.46.255.255.

The world's IPv4 numbers run out at 255.255.255.255. The only two options: create a new addressing scheme with more numbers (which IPv6 does, using ten billion billion billion times as many possible numbers as IPv4), or simply hide most devices from public addressing on the Internet, which is what today's NAT (Network Address Translation) does.

The problem with NAT

NAT allows a router to set up a dummy network of addresses, usually using the reserved 10.x.x.x or 192.168.x.x subnets. These reserved numbers aren't valid on the wide open Internet. In consumer settings, the router typically uses one public outside address and then does address translation for all outside traffic between that public IP number and all of the devices inside. The 192.168.x.x subnet allows for over 65,000 devices to be hidden in your home behind a single address assigned to you by your ISP.

NAT dramatically limits the number of public addresses each site needs, but it creates its own problems. The point of an addressing system is to allow devices to find each other. With NAT, and particularly with multiple layers of NAT, it becomes difficult for one device to find another and start a conversation, say to initiate a web conference, trade files, or stream music. The inside address is no good for outside hosts, and the public IP address is often subject to change.

Additionally, each hidden system on the inside needs some way to map the ports it uses to the ports of the outside, public address. If the NAT forwards public port 80 web traffic to one internal machine acting as a web server, it can't also forward traffic on port 80 to another machine. This causes problems for any service that wants to use specific ports, including video conferencing, torrent downloads, media streaming, file transfers, screen sharing, and so on, blocking multiple machines hidden behind NAT from being accessible at once over the same customary port.



NAT as a refuge for the insecure

NAT has also become an important part of the external security diapers that are used to protect Microsoft's Windows. Without a layer of NAT in the router's firewall, a Windows PC would expose any number of unsecured ports to public tampering. A remotely addressable Windows PC on the Internet will almost instantly become infected by malicious probes looking for its wide-open back doors.

Neither NAT nor an external firewall is really required when a computing system is properly secured. The security crisis resulting from putting Microsoft's software, which was only ever originally designed to operate within an "assumed to be secure" LAN environment, on the open Internet has resulted in people thinking that PCs shouldn't be publicly addressable for their own good.

This is unfortunate, because there are a lot of good reasons for wanting to be able to talk to your own devices over the Internet. Finding and setting up connections with other devices hiding behind the existing layers of NAT can require some tricky technology. That's the task of Apple's Back To My Mac: allowing mobile systems anywhere on the Internet to talk to home systems to handle file sharing, screen sharing, or other tasks.

The promise of IPv6

IPv6's 128-bit addressing not only brings a virtually unlimited number of available IP addresses for everyone to use (billions of numbers for each person on Earth), but also introduces solutions that solve many of the other problems in today's Internet Protocol, including the barriers erected by layers of NAT.

One big feature is security: all IPv6 traffic can be encrypted via a built-in component of the protocol. There's no need to wrap the old FTP protocol with a layer of encryption or use SSH, no need to turn on SSL to secure the web, no need to encrypt each email or each IM conversation and each video conference. Everything can be encrypted at the network layer in IPv6 using IPSec. This can be automatic and invisible to applications; existing, higher level security protocols such as SSL or TLS require applications to be specifically designed to support them. With IPv6, apps get network encryption "for free."

Rather than relying on Windows' NAT diapers for "security through obscurity," IPv6 makes every device on the Internet routable and securely contactable. If IPv6 is beginning to sound a lot like Back to My Mac, Bonjour, and related technologies Apple is already using, then it might be interesting to note that Apple is already using IPv6.

While most vendors have released IPv6 support for their operating systems, having that support doesn't make it useful without a killer application that demonstrates its usefulness. Microsoft delivered a technology preview of IPv6 support in Windows 2000. In 2002 Windows XP SP1 got official, optional support for it. Apple enabled IPv6 by default in Mac OS X 10.3 Panther in 2003, and it is now enabled by default in Windows Vista, too.

However, a real barrier to wide adoption of IPv6 lies with the routers everyone uses; if they are unable to accommodate IPv6 traffic, they will prevent users inside from accessing IPv6 traffic outside, even if their OS supports it. Many commercial routers are just now adding support for IPv6, and many consumer routers don't support it at all.

A killer app for IPv6

The advantages of IPv6 are both obvious and largely invisible. Most users won't even notice the move to IPv6, as DNS handles the IP addressing details in the background. The paradox is that while the Internet desperately needs IPv6, few see any reason to rush toward it. There's no obvious killer application of IPv6 to offset the considerable expense of upgrading all of the critical routers and other equipment that makes up the Internet.

Routers typically run BSD or Linux; Microsoft's software dominance on the desktop isn't even relevant in the world of routers. However, Apple's AirPort Extreme and Time Capsule devices are in widespread use among consumers. Earlier this year, NPD reported that Apple now has greater than ten percent market share among retail sales of WiFi N routers.

Apple's WiFi N routers support acting as an IPv6 node or tunneling through the IPv4 Internet to access IPv6 services (below). They also include an IPv6 firewall supporting incoming IPSec authentication and Teredo tunnels (used to get through NAT on the other end). Apple's nearly silent support for IPv6 is interesting in itself, but what's more interesting is that Apple also has two killer apps in hand for promoting IPv6, the market power to engage uptake, and a strong business model for benefitting from IPv6 adoption.



On page 2 of 2: Why Apple can push IPv6; Apple, MobileMe, Back to My Mac, and IPv6; and IPv6 for MobileMe web apps.

Why Apple can push IPv6

So far, the adoption of IPv6 has appeared to directly offer users too little to warrant much investment. You can currently search Google via IPv6, or stream video, or access USENET newsgroups, but users won't see any real advantage to do that using IPv6. Without any demand for IPv6, the only reason to upgrade or build out support for it is for bragging rights or progressive humanitarianism.

The China Next Generation Internet initiative spent billions to build out an IPv6 backbone in time for the Olympics. The US government recently announced that 26 agencies met a 2005 mandate to support IPv6 traffic over their networks. Other groups provide access to free content over IPv6 in hopes of spurring adoption. Those efforts haven't done much to actually get a sizable proportion of Internet traffic on IPv6. A recent study reported by Arbor Networks Security found only 0.002% of all Internet traffic used IPv6, and that just 0.4% of the Alexa Top 500 sites use IPv6.

While Apple can't single-handedly transfer the Internet to IPv6, it can provide killer apps that will drive adoption among consumers. That kind of thing is right up Apple's Infinite Loop alley. The company pushed for adoption of the MPEG AAC codec with iTunes and the iPod, upgrading the world from MP3 while preventing the world's music from being locked up in Sony's ATRAC or Microsoft's Windows Media DRM. Most other music players now support AAC as well.

Apple then got behind H.264 video and started pushing hard, even while file traders complained that Apple should just stick with the well known old variants of H.263 codecs used by DIVX and others, or use the proprietary codecs used by Windows Media Video and Adobe Flash. The success of iTunes helped push even Adobe's Flash to H.264, and convinced Google and the BBC to serve their video content to iPhones using standard MPEG H.264 rather than Flash or Windows Media.

Apple, MobileMe, Back to My Mac, and IPv6

Apple's relatively small but high-impact market power has pushed a number of other open standards. So how can Apple push IPv6? One killer app for IPv6 is already being sold: Back to My Mac (BTMM) works by tunneling IPv6 traffic between machines over the IPv4 Internet using IPSec.

This enables users on systems registered with MobileMe to find services on their other systems from anywhere on the Internet, and then initiate a secure connection between them that works as a Virtual Private Network (VPN), with all traffic being transmitted through an encrypted tunnel that pierces through the permissive Internet. Why Apple isn't advertising this service better is a bit of a mystery. Linux and Vista don't do this, and Google can't offer it as a free service.

In order for BTMM to work, subscribers need to have a compatible router that supports either the convoluted "Universal Plug & Play," or NAT-PMP (NAT Port Mapping Protocol), a system Apple developed and released as an open standard. Apple also sells popular AirPort WiFi routers that support it.



IPv6 for MobileMe web apps

A subsequent way Apple could push IPv6 would be to deliver and promote MobileMe's web apps as an IPv6 service. Apple's been getting plenty of criticism for failing to encrypt users' data between its client web apps and the cloud, a notable omission given that it encrypts data between the desktop and the cloud, and between push updates to the iPhone and iPod touch. Why aren't MobileMe's web apps using encryption? Apple hasn't said.

By promoting MobileMe as an IPv6-savvy service, Apple could not only advertise (and deliver!) IPSec security for web apps users, but also have an additional reason to recommend its own AirPort routers which support IPv6 traffic and tunneling through an IPv4 Internet Service Provider. It would also cast an additional halo around Apple's pioneering technology efforts. Add an IPv6 icon to Safari that lights up when you visit an IPv6 site, and Apple would end up with another marketable feature for promoting IPv6 to consumers.

Nobody else sells routers, online services, and desktop computers together, giving Apple a unique opportunity to promote IPv6 in a way that not only benefits the company and users, but would also help nudge the industry toward IPv6 compliance and adoption in the same way that it has corralled the industry's cats into an orderly herd behind H.264 and AAC. It would also help silence the incessant complaints that suggest Apple is indifferent about security or is somehow unable to deliver secure products.
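The Teredo tunnels and IPv6-over-IPv4 tunneling that the article credits Apple's routers with both embed the tunnel endpoint's public IPv4 address inside the IPv6 address itself, which is exactly what an IPv6 firewall or someone reviewing its logs can read back out. The Python below is an added example, not code from the article or from Apple: it decodes the Teredo (RFC 4380) fields, goes one step beyond the article by also decoding 6to4 (RFC 3056) addresses, and runs the check over constructed log lines in an assumed `src=<ipv6> dst=<ipv6>` format.

```python
"""Decode the IPv4 endpoints embedded in tunnelled IPv6 addresses.

Added example for this thread; not code from the AppleInsider article
or from Apple. Teredo (RFC 4380) and 6to4 (RFC 3056) addresses both
carry the tunnel endpoint's public IPv4 address, so a firewall log that
records only IPv6 sources still tells you which IPv4 host (and, for
Teredo, which NAT-mapped UDP port) the traffic came through.
"""
import ipaddress
import re

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")     # RFC 4380
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")  # RFC 3056; 6to4 is not named in the article


def decode_teredo(addr):
    """Return the Teredo fields of addr, or None if it is not a Teredo address.

    Layout, most significant bits first: 32-bit prefix | 32-bit Teredo
    server IPv4 | 16-bit flags | 16-bit obfuscated client UDP port |
    32-bit obfuscated client IPv4. Port and client IPv4 are XORed with
    all-ones so that a NAT rewriting IPv4 headers will not rewrite them too.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = int(ip)
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    flags = (raw >> 48) & 0xFFFF
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return {
        "server": str(server),
        "client": str(client),
        "port": port,
        "cone": bool(flags & 0x8000),  # high flag bit: client sits behind a cone NAT
    }


def decode_6to4(addr):
    """Return the IPv4 address embedded in a 6to4 address, or None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIXTOFOUR_PREFIX:
        return None
    # 2002:WWXX:YYZZ::/48 -> W.X.Y.Z occupies bits 16..47 counted from the top.
    return str(ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF))


def classify(addr):
    """Label an IPv6 address as ('teredo', fields), ('6to4', ipv4) or ('native', None)."""
    teredo = decode_teredo(addr)
    if teredo is not None:
        return "teredo", teredo
    v4 = decode_6to4(addr)
    if v4 is not None:
        return "6to4", v4
    return "native", None


# Assumed log format: "... src=<ipv6> dst=<ipv6> ...". Real firewalls differ.
SRC_FIELD = re.compile(r"\bsrc=(?P<src>[0-9A-Fa-f:]+)")


def tunnelled_sources(log_lines):
    """Map each tunnelled IPv6 source in the log to (kind, public IPv4, UDP port or None)."""
    found = {}
    for line in log_lines:
        m = SRC_FIELD.search(line)
        if not m:
            continue
        src = m.group("src")
        kind, details = classify(src)
        if kind == "teredo":
            found[src] = ("teredo", details["client"], details["port"])
        elif kind == "6to4":
            found[src] = ("6to4", details, None)
    return found


# Constructed sample log lines; embedded IPv4 values come from documentation ranges.
SAMPLE_LOG = [
    "ip6fw PASS src=2001:0:c633:6401:8000:63bf:3fff:fdd2 dst=2001:db8::10 dport=548",
    "ip6fw PASS src=2002:c000:22d::1 dst=2001:db8::10 dport=5900",
    "ip6fw BLOCK src=2001:db8:1::42 dst=2001:db8::10 dport=22",
]

if __name__ == "__main__":
    for src, info in tunnelled_sources(SAMPLE_LOG).items():
        print(f"{src} -> {info}")
```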
post #2 of 83
Quote:
Originally Posted by AppleInsider View Post

A subsequent way Apple could push IPv6 would be to deliver and promote MobileMe's web apps as an IPv6 service. Apple's been getting plenty of criticism for failing to encrypt users' data between its client web apps and the cloud, a notable omission given that it encrypts data between the desktop and the cloud, and between push updates to the iPhone and iPod touch. Why aren't MobileMe's web apps using encryption? Apple hasn't said.

But you guys said in a recent article http://www.appleinsider.com/articles...ps.html&page=2
Quote:
Data transaction security in MobileMe's web apps is based upon authenticated handling of JSON data exchanges between the self contained JavaScript client apps and Apple's cloud, rather than the SSL web page encryption used by HTTPS. The only real web pages MobileMe exchanges with the server are the HTML, JavaScript, and CSS files that make up the application, which have no need for SSL encryption following the initial user authentication. This has caused some unnecessary panic among web users who have equated their browser's SSL lock icon with web security.


I find the condescending view of NAT's side benefit of being a hardware firewall as being a diaper to also be offensive. Take the notion that hardware firewalls should be needed since your OS should be written securely farther and you get that software firewalls shouldn't be needed either. After all if every application on your system is written securely (and the user doesn't do anything stupid) it shouldn't be needed. Security is as much about finding the single most robust solutions as it is about theoretical limitations, and hardware firewalls provide a level of security and isolation of vulnerabilities to be lauded.
post #3 of 83
Apple's IPv4, never mind IPv6, firewall user interface is completely shocking, needing huge improvement before Mac OS X can be safely deployed directly on the net using IPv6.
Jan

http://theFruitSoup.com - http://ColinClose.com/ - Download some free music I am involved in!
post #4 of 83
Quote:
Originally Posted by AppleInsider View Post

The world's IPv4 numbers run out at 256.256.256.256.

Sorry to nitpick, but I think you meant 255.255.255.255. Yes, there are 256 values for each octet, but it starts at zero, so 255 is the max...

Other than that, great article (as always)!


Bender: Whoa, what an awful dream! Ones and zeroes everywhere! And I thought I saw a two...
Fry: It was just a dream, Bender. There's no such thing as two!
-Futurama, "A Head in the Polls"
post #5 of 83
The comment "Routers typically run BSD or Linux; Microsoft's software dominance on the desktop isn't even relevant in the world of routers." paints a picture that the routers on the Internet are general-purpose systems, which they are not. Most of the Internet routers are proprietary systems made by Cisco or Juniper, and are there to move packets at a very different rate than general-purpose OSes.
post #6 of 83
The other thing about NAT is with most ISPs you only get 1 IP, so you need NAT to use more than 1 system.

Do you want ISPs like Comcast to make you pay $5 /mo on top of your internet fee per system to get their own IPv6 IP?
post #7 of 83
Quote:
Originally Posted by AppleInsider View Post

Apple has corralled the industry's cats into an orderly herd behind AAC.

Unfortunately, this just isn't true. Look at all those DRM-free stores (Amazon, eMusic etc.) selling mp3-only tracks when they could just as easily provide an AAC option (which would be cheaper for them - purveyors of mp3 encoded tracks have to pay mp3 licensing royalties; these kinds of royalty payments do not exist for AAC).

Sadly, most of the world thinks that AAC is Apple's proprietary format despite the fact that it was developed by the MPEG. They should have called it mp4 and then average joe would understand that it's an evolution of mp3.
it's = it is / it has, its = belonging to it.
post #8 of 83
Quote:
Originally Posted by Joe_the_dragon View Post

The other thing about NAT is with most ISPs you only get 1 IP, so you need NAT to use more than 1 system.

Do you want ISPs like Comcast to make you pay $5 /mo on top of your internet fee per system to get their own IPv6 IP?

You only get one IP because there aren't enough addresses to give everyone their own IP. That's the whole point of IP6. With that, an ISP could happily give you one billion unique IP addresses and have no fear of being anywhere close to running out of addresses to give to their other customers.
it's = it is / it has, its = belonging to it.
post #9 of 83
"One big feature is security: all IPv6 traffic is encrypted. There's no need to wrap the old FTP protocol with a layer of encryption or use SSH, no need to turn on SSL to secure the web, no need to encrypt each email or each IM conversation and each video conference. Everything is encrypted at the network layer in IPv6 using IPSec. This is automatic and invisible to applications; existing, higher level security protocols such as SSL or TLS require applications to be specifically designed to support them. With IPv6, apps get network encryption "for free.""

Whoa, whoa. Source, please!
I know that implementing IPsec is mandatory in IPv6, but I'm pretty damn sure that all data IS NOT automatically encrypted!!
post #10 of 83
Quote:
Originally Posted by AppleInsider View Post

One big feature is security: all IPv6 traffic is encrypted. There's no need to wrap the old FTP protocol with a layer of encryption or use SSH, no need to turn on SSL to secure the web, no need to encrypt each email or each IM conversation and each video conference. Everything is encrypted at the network layer in IPv6 using IPSec. This is automatic and invisible to applications; existing, higher level security protocols such as SSL or TLS require applications to be specifically designed to support them. With IPv6, apps get network encryption "for free."

This is wrong.

http://episteme.arstechnica.com/eve/...m/696007413931
post #11 of 83
Quote:
Originally Posted by AppleInsider View Post

One big feature is security: all IPv6 traffic is encrypted.

Okay, I'll nitpick some more. What is your source on this statement? IPSec implementation is mandated by IPv6, but all IPv6 traffic is NOT encrypted by default as far as I know...

Edit: Looks like two people beat me to it
post #12 of 83
Maybe people don't want every device on their home network to be addressable by the world. In theory it should be safe, if every device vendor implements proper security, but in practice they don't.
post #13 of 83
Quote:
Most users won't even notice the move to IPv6, as DNS handles the IP addressing details in the background.

DHCPv6 will (allegedly) handle it, not the domain name system.
post #14 of 83
Quote:
Originally Posted by ascii View Post

Maybe people don't want every device on their home network to be addressable by the world. In theory it should be safe, if every device vendor implements proper security, but in practice they don't.

If you don't want external parties to connect to your machines, use a firewall. Either one on your home router, or a software firewall on the machine itself.
post #15 of 83
Quote:
Originally Posted by BostonBoozer View Post

Okay, I'll nitpick some more. What is your source on this statement? IPSec implementation is mandated by IPv6, but all IPv6 traffic is NOT encrypted by default as far as I know...

Edit: Looks like two people beat me to it

Ah you beat me to it!
post #16 of 83
Quote:
Originally Posted by Mr. H View Post

You only get one IP because there aren't enough addresses to give everyone their own IP. That's the whole point of IP6. With that, an ISP could happily give you one billion unique IP addresses and have no fear of being anywhere close to running out of addresses to give to their other customers.

Because they can doesn't mean they will. What business school did you go to! j/k
post #17 of 83
Quote:
Originally Posted by jcassara View Post

DHCPv6 will (allegedly) handle it, not the domain name system.

Hm? You still need AAAA and ip6.arpa records in DNS.
post #18 of 83
Quote:
Originally Posted by derekmorr View Post

Hm? You still need AAAA and ip6.arpa records in DNS.

Yes, but the DNS itself is not doing the background work exclusively.
post #19 of 83
Quote:
Originally Posted by AppleInsider View Post

The Internet is running out of addresses. To get around this problem and a host of others not addressed in the existing Internet Protocol (IPv4), a new revision has been in development for years, called IPv6. Uptake has been slow; it requires upgrading all the routers and devices that make up the Internet. Apple has a few tricks up its sleeve for pushing IPv6 adoption, and many Mac users are already chin deep in the technology without even knowing it. Here's why, and what it means for users on every platform.

Not Enough Numbers

The primary problem with today's IPv4 is that its 32-bit addressing scheme (those IP numbers that look like 192.168.0.1) can only accommodate four billion (4,294,967,296) uniquely addressed devices, minus all the specially reserved numbers. IP addresses aren't handed out per device as needed; they're allocated in sequential blocks to companies.

For example, Apple owns the entire 17.x.x.x "Class A" subnet, which gives the company 16 million addresses to use. HP owns two: 15.x.x.x and 16.x.x.x., while Xerox owns 13.x.x.x; AT&T 12.x.x.x; and IBM 9.x.x.x; Many blocks are reserved for special purposes, including 10.x.x.x. By the time Microsoft got in line for IP addresses, it only got a class B subnet of 65,536 addresses from 207.46.0.0 - 207.46.255.255.

The world's IPv4 numbers run out at 256.256.256.256. The only two options: create a new addressing scheme with more numbers (which IPv6 does, using ten billion billion billion times as many possible numbers as IPv4), or simply hide most devices from public addressing on the Internet, which is what today's NAT (Network Address Translation) does.

The problem with NAT

NAT allows a router to set up a dummy network of addresses, usually using the reserved 10.x.x.x or 192.168.x.x subnets. These reserved numbers aren't valid on the wide open Internet. In consumer settings, the router typically uses one public outside address and then does address translation for all outside traffic between that public IP number and all of the devices inside. The 192.168.x.x subnet allows for over 65,000 devices to be hidden in your home behind a single address assigned to you by your ISP.

NAT dramatically limits the number of public addresses each site needs, but it creates its own problems. The point of an addressing system is to allow devices to find each other. With NAT, and particularly with multiple layers of NAT, it becomes difficult for one device to find another and start a conversation, say to initiate a web conference, trade files, or stream music. The inside address is no good for outside hosts, and the public IP address is often subject to change.

Additionally, each hidden system on the inside needs some way to map the ports it uses to the ports of the outside, public address. If the NAT forwards public port 80 web traffic to one internal machine acting as a web server, it can't also forward traffic on port 80 to another machine. This causes problems for any service that wants to use specific ports, including video conferencing, torrent downloads, media streaming, file transfers, screen sharing, and so on, blocking multiple machines hidden behind NAT from being accessible at once over the same customary port.



NAT as a refuge for the insecure

NAT has also become an important part of the external security diapers that are used to protect Microsoft's Windows. Without a layer of NAT in the router's firewall, a Windows PC would expose all number of unsecured ports to public tampering. A remotely addressable Windows PC on the Internet will almost instantly become infected by malicious probes looking for its wide-open back doors.

Neither NAT nor an external firewall is really required when a computing system is property secured. The security crisis resulting from putting Microsoft's software, which was only ever originally designed to operate within an "assumed to be secure" LAN environment, on the open Internet has resulted in people thinking that PCs shouldn't be publicly addressable for their own good.

This is unfortunate, because there are a lot of good reasons for wanting to be able to talk to your own devices over the Internet. Finding and setting up connections with other devices hiding behind the existing layers of NAT can require some tricky technology. That's the task of Apple's Back To My Mac: allowing mobile systems anywhere on the Internet to talk to home systems to handle file sharing, screen sharing, or other tasks.

The promise of IPv6

IPv6's 128-bit addressing not only brings a virtually unlimited number of available IP addresses for everyone to use (billions of numbers for each person on Earth), but also introduces solutions that solve many of the other problems in today's Internet Protocol, including the barriers erected by layers of NAT.

One big feature is security: all IPv6 traffic is encrypted. There's no need to wrap the old FTP protocol with a layer of encryption or use SSH, no need to turn on SSL to secure the web, no need to encrypt each email or each IM conversation and each video conference. Everything is encrypted at the network layer in IPv6 using IPSec. This is automatic and invisible to applications; existing, higher level security protocols such as SSL or TLS require applications to be specifically designed to support them. With IPv6, apps get network encryption "for free."

Rather than relying on Windows' NAT diapers for "security through obscurity," IPv6 makes every device on the Internet routable and securely contactable. If IPv6 is beginning to sound a lot like Back to My Mac, Bonjour, and related technologies Apple is already using, then it might be interesting to note that Apple is already using IPv6.

While most vendors have released IPv6 support for their operating systems, having that support doesn't make it useful without a killer application that demonstrates its usefulness. Microsoft delivered a technology preview of IPv6 support in Windows 2000. In 2002 Windows XP SP1 got official, optional support for it. Apple enabled IPv6 by default in Mac OS X 10.3 Panther in 2003, and it is now enabled by default in Windows Vista, too.

However, a real barrier to wide adoption of IPv6 lies with the routers everyone uses; if they are unable to accommodate IPv6 traffic, they will prevent users inside from accessing IPv6 traffic outside, even if their OS supports it. Many commercial routers are just now adding support for IPv6, and many consumer routers don't support it at all.

A killer app for IPv6

The advantages of IPv6 are both obvious and largely invisible. Most users won't even notice the move to IPv6, as DNS handles the IP addressing details in the background. The paradox is that while the Internet desperately needs IPv6, few see any reason to rush toward it. There's no obvious killer application of IPv6 to offset the considerable expense of upgrading all of the critical routers and other equipment that makes up the Internet.

Routers typically run BSD or Linux; Microsoft's software dominance on the desktop isn't even relevant in the world of routers. However, Apple's AirPort Extreme and Time Capsule devices are in widespread use among consumers. Earlier this year, NPD reported that Apple now has greater than ten percent market share among retail sales of WiFi N routers.

Apple's WiFi N routers support acting as an IPv6 node or tunneling through the IPv4 Internet to access IPv6 services (below). They also include an IPv6 firewall supporting incoming IPSec authentication and Teredo tunnels (used to get through NAT on the other end). Apple's nearly silent support for IPv6 is interesting in itself, but what's more interesting is that Apple also has two killer apps in hand for promoting IPv6, the market power to engage uptake, and a strong business model for benefitting from IPv6 adoption.



On page 2 of 2: Why Apple can push IPv6; Apple, MobileMe, Back to My Mac, and IPv6; and IPv6 for MobileMe web apps.

Why Apple can push IPv6

So far, the adoption of IPv6 has appeared to directly offer users too little to warrant much investment. You can currently search Google via IPv6, or stream video, or access USENET newsgroups, but users won't see any real advantage to do that using IPv6. Without any demand for IPv6, the only reason to upgrade or build out support for it is for bragging rights or progressive humanitarianism.

The China Next Generation Internet initiative spent billions to built out an IPv6 backbone in time for the Olympics. The US government recently announced that 26 agencies met a 2005 mandate to support IPv6 traffic over their networks. Other groups provide access to free content over IPv6 in hopes of spurring adoption. Those efforts haven't done much to actually get a sizable proportion of Internet traffic on IPv6. A recent study reported by Arbor Networks Security found only 0.002% of all Internet traffic used IPv6, and that just 0.4% of the Alexa Top 500 sites use IPv6.

While Apple can't single-handedly transfer the Internet to IPv6, it can provide killer apps that will drive adoption among consumers. That kind of thing is right up Apple's Infinite Loop alley. The company pushed for adoption of the MPEG AAC codec with iTunes and the iPod, upgrading the world from MP3 while preventing the world's music from being locked up in Sony's ATRAC or Microsoft's Windows Media DRM. Most other music players now support AAC as well.

Apple then got behind H.264 video and started pushing hard, even while file traders complained that Apple should just stick with the well known old variants of H.263 codecs used by DIVX and others, or use the proprietary codecs used by Windows Media Video and Adobe Flash. The success of iTunes helped push even Adobe's Flash to H.264, and convinced Google and the BBC to serve their video content to iPhones using standard MPEG H.264 rather than Flash or Windows Media.

Apple, MobileMe, Back to My Mac, and IPv6

Apple's relatively small but high-impact market power has pushed a number of other open standards. So how can Apple push IPv6? One killer app for IPv6 is already being sold: Back to My Mac (BTMM ) works by tunneling IPv6 traffic between machines over the IPv4 Internet using IPSec.

This enables users on systems registered with MobileMe to find services on their other systems from anywhere on the Internet, and then initiate a secure connection between them that works as a Virtual Private Network (VPN), with all traffic being transmitted through an encrypted tunnel that pierces through the permissive Internet. Why Apple isn't advertising this service better is a bit of a mystery. Linux and Vista don't do this, and Google can't offer it as a free service.

For BTMM to work, subscribers need a compatible router that supports either the convoluted UPnP (Universal Plug & Play) or NAT-PMP (NAT Port Mapping Protocol), a simpler protocol Apple developed and released as an open standard. Both let a host behind the router ask it to forward an inbound port, which also means any device on the LAN can open a hole through the NAT without authenticating, so a NAT router's incidental protection is only as good as the hosts behind it. Apple also sells popular AirPort Wi-Fi routers that support it.
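
The following is an added example, not Apple's implementation and not from the original article, of the NAT-PMP exchange (RFC 6886) a BTMM client has with its router: it builds the two request types, parses the router's replies, and makes clear why port-mapping protocols cut into NAT's incidental firewalling. The router replies are constructed byte-for-byte so the parser runs offline; the gateway address in the commented-out `query_gateway` call is a hypothetical placeholder for whatever your router's LAN address is.

```python
import socket
import struct

NATPMP_PORT = 5351          # routers listen on UDP 5351 (RFC 6886)
NATPMP_VERSION = 0
OP_EXTERNAL_ADDRESS = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESULT_TEXT = {
    0: "success",
    1: "unsupported version",
    2: "not authorized / refused",
    3: "network failure",
    4: "out of resources",
    5: "unsupported opcode",
}


def build_external_address_request() -> bytes:
    """Opcode 0: ask the router for its public IPv4 address."""
    return struct.pack("!BB", NATPMP_VERSION, OP_EXTERNAL_ADDRESS)


def build_mapping_request(proto_op: int, internal_port: int,
                          suggested_external_port: int = 0, lifetime: int = 7200) -> bytes:
    """Opcode 1 (UDP) or 2 (TCP): ask the router to forward an inbound port to this host.
    No credentials are involved; a lifetime of 0 deletes an existing mapping."""
    if proto_op not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("proto_op must be OP_MAP_UDP or OP_MAP_TCP")
    return struct.pack("!BBHHHI", NATPMP_VERSION, proto_op, 0,
                       internal_port, suggested_external_port, lifetime)


def parse_response(data: bytes) -> dict:
    """Decode a NAT-PMP reply. Responses echo the request opcode with the high bit set."""
    if len(data) < 8:
        raise ValueError("response too short")
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != NATPMP_VERSION or not opcode & 0x80:
        raise ValueError("not a NAT-PMP response")
    op = opcode & 0x7F
    reply = {"op": op, "result": result,
             "result_text": RESULT_TEXT.get(result, "unknown"),
             "seconds_since_start": epoch}
    if result != 0:
        return reply
    if op == OP_EXTERNAL_ADDRESS:
        if len(data) < 12:
            raise ValueError("external address response too short")
        reply["external_ip"] = socket.inet_ntoa(data[8:12])
    elif op in (OP_MAP_UDP, OP_MAP_TCP):
        if len(data) < 16:
            raise ValueError("mapping response too short")
        internal, external, lifetime = struct.unpack("!HHI", data[8:16])
        reply.update(internal_port=internal, external_port=external, lifetime=lifetime)
    else:
        raise ValueError("unknown opcode %d" % op)
    return reply


def query_gateway(gateway_ip: str, request: bytes, timeout: float = 1.0) -> dict:
    """Send one request to the LAN gateway and parse the reply. Only this function touches the network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (gateway_ip, NATPMP_PORT))
        data, _ = sock.recvfrom(64)
    return parse_response(data)


# Constructed router replies laid out as RFC 6886 specifies, so the parser can be exercised offline.
SAMPLE_EXTERNAL_REPLY = struct.pack("!BBHI4s", 0, 0x80, 0, 1234, socket.inet_aton("203.0.113.7"))
SAMPLE_MAP_REPLY = struct.pack("!BBHIHHI", 0, 0x82, 0, 1234, 22, 22, 7200)
SAMPLE_REFUSED_REPLY = struct.pack("!BBHIHHI", 0, 0x82, 2, 1234, 22, 0, 0)

if __name__ == "__main__":
    print(parse_response(SAMPLE_EXTERNAL_REPLY))
    print(parse_response(SAMPLE_MAP_REPLY))
    print(parse_response(SAMPLE_REFUSED_REPLY))
    # Against a real router (hypothetical gateway address, not run by default):
    # print(query_gateway("192.168.1.1", build_mapping_request(OP_MAP_TCP, 22)))
```

Note the 12-byte mapping request carries no identity or secret at all. Any process on any host behind the router, malware included, can send it and receive inbound connections on the mapped port, which is why "NAT as firewall" stops being true the moment NAT-PMP or UPnP is enabled.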



IPv6 for MobileMe web apps

A second way Apple could push IPv6 would be to deliver and promote MobileMe's web apps as an IPv6 service. Apple has taken plenty of criticism for failing to encrypt users' data between its web apps and the cloud, a notable omission given that it encrypts data between the desktop and the cloud, and for push updates to the iPhone and iPod touch. Why aren't MobileMe's web apps using encryption? Apple hasn't said.

By promoting MobileMe as an IPv6-savvy service, Apple could not only advertise (and deliver!) IPsec security for web app users, but also have an additional reason to recommend its own AirPort routers, which support IPv6 traffic and tunneling through an IPv4 Internet Service Provider. One caveat: IPv6 does not encrypt anything by itself, and a browser and web server would have to negotiate IPsec explicitly, so the simpler fix for the unencrypted web apps is HTTPS (TLS), which works over either IP version. It would also cast an additional halo around Apple's pioneering technology efforts. Add an IPv6 icon to Safari that lights up when you visit an IPv6 site, and Apple would have another marketable feature for promoting IPv6 to consumers.

Nobody else sells routers, online services, and desktop computers together, which gives Apple a unique opportunity to promote IPv6 in a way that not only benefits the company and its users but would also nudge the industry toward IPv6 compliance and adoption, the same way it has corralled the industry's cats into an orderly herd behind H.264 and AAC. It would also help silence the incessant complaints that Apple is indifferent about security or somehow unable to deliver secure products.


And how many security applications currently run on IPv6? To my knowledge no AV product, last time I checked (last nine months). Apple's internal firewall is a joke, so tunneling IPv6 traffic is asking for some serious issues. Safari browser and OS can fully run IPv6, unlike Windows Vista/IE junk. Oh, besides, only two or three US ISP vendors currently offer IPv6 services; still going to lose performance due to running dual stacks. To better understand the issues, the must-read IPv6 book in my opinion is Running IPv6.

1Gremlin
post #20 of 83
Quote:
Originally Posted by Axcess99

but you guys said in a recent article http://www.appleinsider.com/articles...ps.html&page=2



I find the condescending view of NAT's side benefit of being a hardware firewall as being a diaper to also be offensive.

Offensive? A self-evaluation might be in order here.

(non-directed)
Everyone is so damn "offended" these days. Grow a pair, live your life, and stop dragging everyone else down in the gutter. Enough of this me, me, me crap.
post #21 of 83
Quote:
Originally Posted by BostonBoozer

Sorry to nitpick, but I think you meant 255.255.255.255. Yes, there are 256 values for each octet, but it starts at zero, so 255 is the max...

Actually you can't have an address containing 255, since that is used as a mask value.
post #22 of 83
Quote:
Originally Posted by crees!

Offensive? A self-evaluation might be in order here.

(non-directed)
Everyone is so damn "offended" these days. Grow a pair, live your life, and stop dragging everyone else down in the gutter. Enough of this me, me, me crap.

EXCELLENT POINT! I am so tired of people whining about being offended when someone simply states their opinion. Now if someone sets out to offend, then that is different, but difference of opinion should not construe offense.
post #23 of 83
Quote:
Originally Posted by AppleInsider

NAT has also become an important part of the external security diapers that are used to protect Microsoft's Windows. Without a layer of NAT in the router's firewall, a Windows PC would expose all number of unsecured ports to public tampering. A remotely addressable Windows PC on the Internet will almost instantly become infected by malicious probes looking for its wide-open back doors.

WTF? So blame Windows for NAT?

NAT is pretty darned useful for other purposes than just security by obscurity and on networks that just might have unsecured Macs on them too. It's not like we've not seen exploits on Quicktime have we?

Quote:
Originally Posted by Axcess99

but you guys said in a recent article http://www.appleinsider.com/articles...ps.html&page=2

Which also turned out to be silly. Only the login details are sent encrypted, everything else is hanging out there as unencrypted traffic including your email, contacts, iDisk... yet this is apparently not a security issue?

These articles on network security are naïve in the extreme.
post #24 of 83
Quote:
Originally Posted by MiMiC

EXCELLENT POINT! I am so tired of people whining about being offended when someone simply states their opinion. Now if someone sets out to offend, then that is different, but difference of opinion should not construe offense.

When the article refers to a common (and very valid) security practice as "wearing diapers", I'd say it's fair to assume that the author intended offense. He's essentially calling us babies for implementing things that way.

Not that I took offense, because I'm not going to let an author as uninformed as the writer of this piece to offend me, but I'd be surprised to find out that the author wasn't trying to offend.
post #25 of 83
Quote:
Actually you can't have an address containing 255, since that is used as a mask value.

My computer is running right now with the address 172.255.255.10....

I wish people who "think they know something" just kept quiet.

M
post #26 of 83
I'm more offended by open back doors NOT covered by diapers.
post #27 of 83
Quote:
Originally Posted by Booga

When the article refers to a common (and very valid) security practice as "wearing diapers", I'd say it's fair to assume that the author intended offense. He's essentially calling us babies for implementing things that way.

Not that I took offense, because I'm not going to let an author as uninformed as the writer of this piece to offend me, but I'd be surprised to find out that the author wasn't trying to offend.

You really think he was directing criticism of a system at individual end users? hahahahahahahah
2011 13" 2.3 MBP, 2006 15" 2.16 MBP, iPhone 4, iPod Shuffle, AEBS, AppleTV2 with XBMC.
Reply
post #28 of 83
Prince is the master of metaphors.

I learned a lot of general IP stuff by reading this.

Thanks!
Journalism is publishing what someone doesn't want us to know; the rest is propaganda.
-Horacio Verbitsky (el perro), journalist (b. 1942)
Reply
post #29 of 83
IPv6 itself definitely does not include IPsec as a protocol feature -- IPsec is layered on top of both IPv4 and IPv6. I haven't looked at the host RFCs for a while, so it's possible that host stacks are mandated to include IPsec when they support IPv6, but it's entirely possible (and in fact quite normal) for IPv6 traffic to be unencrypted. In fact, there is a fairly substantial cost to doing encryption, though AES is fast enough on modern CPUs to make this mostly transparent unless you've got a 100Mb connection or higher. However, the key negotiation is fairly expensive, and not necessarily something you want to do on every connection. In fact, servers would truly hate that -- it would force every server to include hardware crypto acceleration.

So it makes sense that you use IPsec when connection authenticity or confidentiality is an issue, but not necessarily all the time.
post #30 of 83
Quote:
Originally Posted by Mr. H

Plurals don't have apostrophes.

Sorry Mr. H. The possessive case of nouns that form the plural with "s" do have apostrophes. "All the boys' trousers were soiled after the football match."
post #31 of 83
Wow. I feel like such a geek for having read all of this, and at the same time I'm glad I did. Sheesh, there are a lot of things I don't know.

I'm curious how this would affect many of the content delivery networks out there that are paid big bucks by sites serving rich media to route data on private networks and out of the cloud altogether. Are they using IPv6 already, or would that be a selling point of using one CDN over another?
post #32 of 83
Quote:
Originally Posted by maccam

Sorry Mr. H. The possessive case of nouns that form the plural with "s" do have apostrophes. "All the boys' trousers were soiled after the football match."

You registered just for that?

I don't have room in my signature to be more explicit, but I'm talking about pure plurals. i.e. the plural of "apple" is "apples" not "apple's", the plural of "Mac" is "Macs", not "Mac's" etc. etc. People putting in an apostrophe every damn time they see an "s" at the end of a word drives me nuts!

Edit: huzzah, there's room in the signature after all. 'Tis now fixed
it's = it is / it has, its = belonging to it.
Reply
post #33 of 83
Quote:
Originally Posted by 1Gremlin

Apple's internal firewall is a joke, so tunneling IPv6 traffic is asking for some serious issues. Safari browser and OS can fully run IPv6, unlike Windows Vista/IE junk. Oh, besides, only two or three US ISP vendors currently offer IPv6 services; still going to lose performance due to running dual stacks.

What is wrong with Apple's firewall? Do you mean Leopard's application firewall or ipfw/ip6fw?

Vista can certainly "fully run IPv6."

How does running dual-stack make you lose performance? I run dual-stack every day at work, using a production IPv6 environment, and I don't see any performance problems.
post #34 of 83
Quote:
Originally Posted by Booga

When the article refers to a common (and very valid) security practice as "wearing diapers",

NAT is not a security feature. It is an address conservation system. If you want to prevent users from connecting to your machines, then use a firewall. I don't understand why people don't understand this simple concept.
post #35 of 83
Quote:
Originally Posted by aegisdesign

NAT is pretty darned useful for other purposes than just security by obscurity and on networks that just might have unsecured Macs on them too. It's not like we've not seen exploits on Quicktime have we?

NAT is not a security feature, and it will not protect you from the recent QuickTime vulnerabilities. Those were local exploits. If an attacker could trick a user into loading a malicious media file, they could exploit the hole. NAT offers zero protection from this type of attack.
post #36 of 83
Quote:
Originally Posted by AppleInsider

Apple has a few tricks up its sleeve for pushing IPv6 adoption, and many Mac users are already chin deep in the technology without even knowing it.


What? Apple has magic tricks?
Surely not! Those tricks are basics of the IPv4/IPv6 convergence, written into the various IPv6 standards. IPv6 has been out there for years. Real backbone providers have provided IPv6 routing for years.
Only the USA is slow to pick it up. IPv6 is already commonly deployed in Europe and the Far East. The mechanisms built into IPv6 to let IPv6 contact IPv4 and to create automatic tunnels are there, built into many dual-stack routers already. Only the desktops have not made use of it, as most (especially American) ADSL & WLAN routers did not support IPv6.

It is very nice of Apple to support IPv6 in their AirPort family, but Apple still brings out brand new devices which have no IPv6 support at all!
(No IPv6 on iPhone 3G & iPhone.)

So saying Apple is brave doing something brand new is wrong. Apple just does what it has to do, and even then only half-heartedly.
post #37 of 83
Quote:
Originally Posted by jcassara

Yes, but the DNS itself is not doing the background work exclusively.

I don't follow.

Mac OS X does not come with a DHCPv6 client. It either uses stateless autoconfiguration or has a manually configured IPv6 address. On a home network, it's reasonable to assume that stateless autoconfig would be used.

Once your Mac has an IPv6 address, it will try to use it. Namely, it will send DNS queries for AAAA records for any machine you try to connect to (provided that the client software uses v6-aware resolver APIs).
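
As an added example (not derekmorr's code and not from Apple), here is how stateless autoconfiguration derives a modified EUI-64 interface identifier from the interface's MAC address (RFC 4291, Appendix A) and joins it to a /64 prefix, plus the reverse step that shows why this leaks the hardware address and why RFC 4941 temporary addresses exist. The MAC and prefix are constructed for the demo.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE in the middle, and flip the
    universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a router-advertised /64 prefix with the interface identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))


def link_local_address(mac: str) -> str:
    """The fe80::/64 address a host forms before it has heard any router advertisement."""
    return slaac_address("fe80::/64", mac)


def mac_from_address(address: str):
    """Reverse the derivation. Returns the MAC if the address carries a modified EUI-64
    identifier, else None (temporary/privacy addresses and manual ones do not)."""
    iid = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join("%02x" % b for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:1c:b3:12:34:56"   # constructed MAC for the demo
    global_addr = slaac_address("2001:db8::/64", mac)
    print("link-local:", link_local_address(mac))
    print("global    :", global_addr)
    # The same identifier follows the host onto every network it joins, so any server it
    # talks to can recover the MAC and correlate sessions across networks.
    print("MAC leaked:", mac_from_address(global_addr))
```

Running it prints `2001:db8::21c:b3ff:fe12:3456` for the global address and recovers `00:1c:b3:12:34:56` from it; `mac_from_address` returns None for an address like `2001:db8::1`, which is what a temporary or manually assigned address looks like to an observer.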
post #38 of 83
Quote:
Originally Posted by kiwi66

The mechanisms built into IPv6 to let IPv6 contact IPv4 and to create automatic tunnels are there, built into many dual-stack routers already.

What mechanism would that be? I'm not familiar with one. IPv6 and IPv4 are not compatible on the wire. You either need to run dual-stack (give each machine both an IPv4 and an IPv6 address), or use some form of IPv4-to-IPv6 NAT or proxy.
post #39 of 83
So then please tell me why the so-advanced Apple forgot about IPv6 when it comes to the iPhone?
post #40 of 83
Quote:
Originally Posted by derekmorr

Mac OS X does not come with a DHCPv6 client. It either uses stateless autoconfiguration or has a manually configured IPv6 address. On a home network, it's reasonable to assume that stateless autoconfig would be used.

Perhaps stateless autoconfig is reasonable for a small/home network, but it's *not* reasonable for a large campus environment.

The kick in the pants is that Apple is said to have no intention of supporting DHCPv6.
About a year ago, apple reps were stating that it was unclear "when, or even *whether*, Apple products will contain DHCPv6 clients"

More recently, at the IETF in March, their decision NOT to include DHCPv6 support was stated more clearly.
I'm still looking for the quotation, but apparently, it's in the audio archives.

- Christopher Chin